On Fri, Oct 2, 2015 at 8:24 AM, Salz, Rich <rs...@akamai.com> wrote: > > > 1) We know CRIME threat, but it can not be risk for everyone. > > e.g., CVSS v2 Base Score: 2.6 (LOW) > > CVSS isn't always appropriate; CVSS2 called Heartbleed a 5; CVS v3 called > it 7.5 > > > Which one is safer, "tls1.2" v.s. "tls1.3 with comp/decomp" ? > > They are equivalent. If you use AES-GCM and ECDHE, and you don't need > 0RTT, then there is no compelling reason to use TLS 1.3.
I don't want to take a position on what's compelling or not, but there are a number of other reasons to use TLS 1.3, including support for real padding, encrypted content types, privacy for client authentication, etc. -Ekr > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
